himalaya
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill enables the agent to read external email content which is an untrusted data source. This content can contain instructions intended to manipulate the agent's behavior.
- Ingestion points: Email bodies and headers read via the 'himalaya message read' command.
- Boundary markers: No delimiters or 'ignore' instructions are provided in the skill documentation to isolate email content from system instructions.
- Capability inventory: The skill provides impactful capabilities including sending messages ('himalaya message write'), deleting messages ('himalaya message delete'), and downloading attachments.
- Sanitization: No sanitization or validation of the email content is documented.
- [COMMAND_EXECUTION]: CLI and Shell Interaction. The skill functions by executing 'himalaya' shell commands. This interaction pattern includes executing authentication commands (e.g., using 'pass') and requires the agent platform to strictly validate all arguments (like message IDs and folder names) to prevent command injection.
Audit Metadata